Re: Can I hide password in config file?



On Sat, Jul 15, 2006 at 09:33:17PM +0200, Karl Reichert wrote:
> I'm using the GLIB Key-value file parser
> (http://developer.gnome.org/doc/API/2.0/glib/glib-Key-value-file-parser.html)
> to create or read from a config file. The contents of this file are
> servername, port, some other things and a password for accessing this server.
> The user can use an options-dialog in my application to set those data and my
> application will write it to this file, so he doesn't have to bother with the
> syntax.
>
> At the moment the password is clearly visible, as it is a normal key value.
> I'm looking for a way to protect the password. It should be stored in that
> file but like /etc/password.

You cannot store it `as in /etc/passwd', read crypt(3) for
details (assuming password as it was stored in /etc/passwd
where it is not stored anymore).  The short reason is that
the password is not intended to be obtainable (to reveal it
one has to search the password space).

Your app does not need to check the passwords, it needs to
obtain the passwords.  And if your app can do that, anyone
can.  So you have the following possibilities:
- do nothing, just make sure the file is 0700 (this advice
  applies to all following too)
- use some mild obfuscation like Base64 (GLib 2.12 can do
  Base64) to make yourself feel better
- encrypt the passwords with a master password the user has
  to enter to decrypt and obtain them -- see e.g. Firefox

Yeti


--
Anonyms eat their boogers.
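
The first option in the reply above (restricting the file's permissions), as an added example that is not part of the original message: a POSIX C sketch that writes the config file owner-only regardless of umask and refuses to trust a file that group or others can access. The function names, the sample path and contents, and the choice of mode 0600 (owner read/write, no execute bit) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `data` to `path` so the secret is never readable by group/other,
 * regardless of the process umask. Returns 0 on success, -1 on error. */
int write_private_config(const char *path, const char *data)
{
    size_t len = strlen(data);
    /* O_NOFOLLOW: refuse to write through a symlink planted at `path`. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* The mode argument only applies on creation, so tighten a
     * pre-existing file before any secret bytes are written to it. */
    if (fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0 ||
        write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Return 1 if `path` is a regular file owned by the effective user with
 * no group/other permission bits, 0 if it is not, -1 on error. */
int config_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    const char *path = "example-app.conf"; /* constructed sample path */
    /* Constructed sample content in key-file syntax. */
    if (write_private_config(path, "[server]\nport=143\npassword=s3cret\n") != 0)
        return 1;
    printf("private: %d\n", config_is_private(path));
    unlink(path);
    return 0;
}
```

Calling `config_is_private()` before reading the password lets the application warn the user when the file has been loosened, for example by a restore from backup.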


